latrodectus | bbbce5905921a018ce25f9bcbd4674410ec6a554cfea33a18e7cf8a4e520450f

Analysis

max time kernel
1200s
max time network
1203s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14/08/2024, 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UPDATE-HSYEYDBB.html.lnk
Size

1KB
MD5

ae64124a57d7f5de780f85b7456d90a2
SHA1

ab9a153c0da841ed0cbdd70664a48ba0959eb8a9
SHA256

119f0a88b3366805f6a592742b7ced190010eb98c81f32e251bd42d968b68471
SHA512

0e9ad80748d97e55708bf4939bbe0179d558d643679065c101fa52f861e4d4527cc7bd86795388892f5fd466d2ac959e11f0b89f3c84c673a86d3a62e35ae910

Score

10^/10

latrodectus discovery loader

Malware Config

Extracted

Family

latrodectus

https://mazdakrichest.com/live/

https://riverhasus.com/live/

Signatures

Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 1 3 IoCs

loader

resource	yara_rule
behavioral2/memory/3320-1-0x00000229FE780000-0x00000229FE793000-memory.dmp	family_latrodectus_v1
behavioral2/memory/4448-11-0x000001577F2B0000-0x000001577F2C3000-memory.dmp	family_latrodectus_v1
behavioral2/memory/4448-16-0x000001577F2B0000-0x000001577F2C3000-memory.dmp	family_latrodectus_v1

Blocklisted process makes network request 64 IoCs

flow	pid	Process
11	4448	rundll32.exe
12	4448	rundll32.exe
13	4448	rundll32.exe
14	4448	rundll32.exe
15	4448	rundll32.exe
16	4448	rundll32.exe
17	4448	rundll32.exe
18	4448	rundll32.exe
19	4448	rundll32.exe
20	4448	rundll32.exe
21	4448	rundll32.exe
22	4448	rundll32.exe
23	4448	rundll32.exe
24	4448	rundll32.exe
25	4448	rundll32.exe
26	4448	rundll32.exe
27	4448	rundll32.exe
28	4448	rundll32.exe
29	4448	rundll32.exe
30	4448	rundll32.exe
31	4448	rundll32.exe
32	4448	rundll32.exe
33	4448	rundll32.exe
34	4448	rundll32.exe
35	4448	rundll32.exe
36	4448	rundll32.exe
37	4448	rundll32.exe
38	4448	rundll32.exe
39	4448	rundll32.exe
40	4448	rundll32.exe
41	4448	rundll32.exe
42	4448	rundll32.exe
43	4448	rundll32.exe
44	4448	rundll32.exe
45	4448	rundll32.exe
46	4448	rundll32.exe
47	4448	rundll32.exe
48	4448	rundll32.exe
49	4448	rundll32.exe
50	4448	rundll32.exe
51	4448	rundll32.exe
52	4448	rundll32.exe
53	4448	rundll32.exe
54	4448	rundll32.exe
55	4448	rundll32.exe
56	4448	rundll32.exe
57	4448	rundll32.exe
58	4448	rundll32.exe
59	4448	rundll32.exe
60	4448	rundll32.exe
61	4448	rundll32.exe
62	4448	rundll32.exe
63	4448	rundll32.exe
64	4448	rundll32.exe
65	4448	rundll32.exe
66	4448	rundll32.exe
67	4448	rundll32.exe
68	4448	rundll32.exe
69	4448	rundll32.exe
70	4448	rundll32.exe
71	4448	rundll32.exe
72	4448	rundll32.exe
73	4448	rundll32.exe
74	4448	rundll32.exe

Loads dropped DLL 1 IoCs

pid	Process
4448	rundll32.exe

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
3320	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe
4448	rundll32.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3320	4800	cmd.exe	79
PID 4800 wrote to memory of 3320	4800	cmd.exe	79
PID 3320 wrote to memory of 4448	3320	rundll32.exe	80
PID 3320 wrote to memory of 4448	3320	rundll32.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\UPDATE-HSYEYDBB.html.lnk
1⤵
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" version1.dll, scab
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fbe146ab.dll", scab
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Custom_update\Update_fbe146ab.dll

Filesize
1.4MB

MD5
f834dfc1861cd6361f34496c3bbafe66

SHA1
a983e82d009901310c8a3255c4b4e3a02d556fa7

SHA256
e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7

SHA512
088a6170c948ddb2c2b0cf2431ae61688201ef5bc3f1af217a58bf18b26dd9e0ab7ee082f822e736d0467f62e33bf71b806127eb998bed8e739c1e441ac05e00

Download Submit
memory/3320-0-0x00000229FE770000-0x00000229FE774000-memory.dmp

Filesize
16KB

Download
memory/3320-1-0x00000229FE780000-0x00000229FE793000-memory.dmp

Filesize
76KB

Download
memory/3320-7-0x0000000180000000-0x000000018016F000-memory.dmp

Filesize
1.4MB

Download
memory/4448-11-0x000001577F2B0000-0x000001577F2C3000-memory.dmp

Filesize
76KB

Download
memory/4448-16-0x000001577F2B0000-0x000001577F2C3000-memory.dmp

Filesize
76KB

Download